(12) UK Patent Application (19) GB (11) 2294129 (13) A

(43) Date of A Publication 17.04.1996

(21) Application No 9420797.4

(22) Date of Filing 14.10.1994

(71) Applicant(s)
George Hans Lowe
32 Homestead Road, Rivonia, Sandton, South Africa

(72) Inventor(s)
George Hans Lowe

(74) Agent and/or Address for Service
Gill Jennings & Every
Broadgate House, 7 Eldon Street, LONDON, EC2M 7LH, United Kingdom

(51) INT CL 6
G21C 17/00, G05B 23/02, G21D 3/02 3/04

(52) UK CL (Edition O)
G6C CDF C63X C63Y
U1S S1905 S1907

(56) Documents Cited
EP 0411869 A2  EP 0099681 A1  US 4853175 A

(58) Field of Search
UK CL (Edition N) G3N NGK2 NGK2A NGK2B NG1A1 NG1A3 NG1A5 NG1A9, G6C CDF
INT CL 6 G05B 9/02 23/02, G21C 17/00, G21D 3/02 3/04 3/06
ONLINE: WPI

(54) Fault monitoring system



(57) An indicating system 10 for use in a plant where predetermined action is required upon the occurrence
of a fault condition includes a data processing facility 12 and a data inputting facility 16 for inputting data into
the data processing facility 12. A graphic display device (Figure 2) is connected to the data processing facility
for displaying, in graphic form, action to be taken by an operator upon the occurrence of a particular fault
condition. A time indicating unit 20 is connected to the data processing facility for indicating the time available
to the operator to take the appropriate action to bring the plant to a required state.




[Drawings: FIG 1, FIG 2 and FIG 3. Legible labels on the displays of FIG 2 and FIG 3: "ONE MOTOR DRIVEN PUMP INOPERABLE OR ONE ASSOCIATED FEEDWATER LINE INOPERABLE", "POWER LEVEL OR OPERATING MODE", "PROHIBITED MODE", "DETAILED OPERATING INSTRUCTION(S)". Reference numerals shown: 20, 22-1, 22-2, 32, 34, 40.]

AN INDICATING SYSTEM 



THIS INVENTION relates to an indicating 
system. The invention relates particularly to an 
indicating system for use in a plant where predetermined 
action is required upon the occurrence of a fault 
condition. While the invention has particular
application in nuclear power stations and will, for ease
of explanation, be described with reference to that 
application hereinafter, it will readily be appreciated 
that the system could be used in other process plant 
applications. 

According to the invention, there is provided 
an indicating system for use in a plant where 
predetermined action is required upon the occurrence of 
a fault condition, the indicating system including 
a data processing means; 

a data inputting means for inputting data into the 
data processing means; 

a graphic display means connected to the data 
processing means for displaying, in graphic form, action 
to be taken by an operator upon the occurrence of a 
particular fault condition; and

a time indicating means connected to the data
processing means for indicating the time available to 
the operator to take the appropriate action to bring the 
plant to a required state. 

Conveniently, the graphic display means may, 
additionally, display action to be taken in a narrative 
form. 

The graphic display means may be controlled by 
the processing means and is operable to display, in a 
graphic form, the action to be taken upon the occurrence 
of the particular fault condition. Thus, in the case of 
a nuclear power station, when a fault condition occurs, 
the display means may display the operating, failsafe or 
fallback state to which a reactor of the nuclear power 
station must be taken. Hence, for example, in the case 
of an auxiliary feedwater regulating line being 
inoperable, the lower state to which the reactor must be 
taken may be the normal intermediate shutdown state with 
residual heat removal system valved in. This must be 
effected within a specified time period. 

In this specification, the term "operator" is 
to be understood in a broad sense as referring to any 
personnel of the plant who would operate the plant 
and/or need to respond to a fault condition. 



The data processing means may comprise a
computer.

Then, the data inputting means could be in any 
one of a variety of formats. Thus, for example, the data 
inputting means may include a manual inputting means,
conveniently, a keyboard of the computer, by means of 
which the operator enters data into the data processing 
means. In addition, or instead, the data inputting means 
may include an automatic inputting means whereby, upon 
the occurrence of the fault condition, a signal is input 
into the data processing means. Further, if appropriate, 
the data inputting means could be an emergency response 
facility of the plant. 

The time indicating means may comprise a clock 
and a time display means, the time display means being 
driven by the clock to be decremented as time passes so 
that the operator has an indication of the reducing time 
available in which to carry out the necessary remedial 
action. 

The time display means may be in the form of 
a counter. The counter may be operable, under the action 
of the data processing means, to change format depending 
on the urgency of the situation. Hence, for example, 
upon the occurrence of a fault condition, the counter 
may flash in a particular colour, for example, white.
Thereafter, depending on the urgency of the situation,
the displayed time may change colour, for example, to 
amber and then to red. 

The system may include a discernible alarm 
means connected to the data processing means to be
activated upon the occurrence of a particular incident, 
for example, when the counter changes colour. The 
discernible alarm means may comprise an audible alarm 
means and/or a visual alarm means. 

The alarm means may be of a continuous or 
"nagging" type which requires a positive response by the 
operator. Further, the alarm means may comprise an 
annunciator to alert a supervisor in a remote location. 

The system may include a data storage means 
which contains information relating to graphics of the 
graphic display means, the time indicating means as well
as action taken by the operator upon the occurrence of 
the fault condition and how long the condition was 
allowed to continue before the required operating state 
of the plant was attained. 

The data storage means may, additionally, 
contain information relating to detailed procedures to 
be followed by the operator in carrying out the 
appropriate action.

The invention extends also to a method of
operating a plant where predetermined action is required 
upon the occurrence of a fault condition, the method 
including 

graphically displaying a sequence of actions to be 
taken by an operator on the occurrence of a fault 
condition in the plant; and 

indicating permissible time limits in which the 
action must be taken. 

The method may include making available 
predetermined data to enable the sequence of actions to 
be displayed graphically. The data may be made available 
automatically or manually. 

The method may include displaying the time in 
a predetermined format and causing the displayed time to 
be decremented. 

The method may include displaying cascading or 
additive fault conditions or a decision tree to aid the 
operator in deciding upon appropriate remedial action or 
to prepare for possible future actions. 

Further, the method may include, as critical 
time periods are approached, causing the displayed time 
to change format, for example, causing the displayed 
time to change colour. 



Also, the method may include, upon the 
occurrence of a fault condition, activating an alarm 
means. 

The invention is now described by way of example 
with reference to the accompanying diagrammatic 
drawings. 

In the drawings, 

Figure 1 shows a schematic diagram of an indicating
system, in accordance with the invention; 

Figure 2 shows a first example of a display of the 
system; and 

Figure 3 shows a second example of a display of the 
system. 

Referring to Figure 1 of the drawings, an 
indicating system, in accordance with the invention, is 
illustrated by the reference
numeral 10. As indicated above, the system 10 is
intended particularly for use in a nuclear power station 
environment and shall be described with reference to 
that application hereinafter. 

The system 10 comprises a data processing 
means in the form of a computing device 12. 
Conveniently, the computing device 12 is a personal 
computer (PC). A data inputting means 14 is connected
to the computer 12. The data inputting means 14 can be
in any one of a variety of formats. Thus, the data 
inputting means could be a manual inputting means such 
as a keyboard 16 of the computer. Access may be granted 
only after the insertion of a predetermined access code, 
to improve the security of the system 10. 

Instead, or in addition, the data inputting 
means could be an automatic inputting means such as a 
surveillance input via a push-button panel, or a 
"permit-to-work" (PTW) input, both of which are input 
via remote terminals using a predetermined access code 
at all times. Still further the computer 12 could be 
connected to an emergency response facility of the 
nuclear power station. This latter input may be 
effected from a process computer of the nuclear power 
station only. 

The system 10 includes a display means which, 
conveniently, is a screen display device 18 of the 
computer 12. The display device 18 displays thereon, in 
graphic form, action to be taken by an operator of the 
system 10 upon the occurrence of a particular fault 
condition, as will be described in greater detail below. 

The system 10 also includes a time indicating 
means, illustrated schematically at 20 in Figures 2 and 
3 of the drawings. The time indicating means 20
indicates the time available to the operator of the
system 10 to take the necessary or relevant action. 

The time indicating means 20 comprises a clock 
(not shown) controlled by the computer 12 and a time 
display means or counter 22 which is driven by the clock 
to be decremented as time passes so that the operator 
has a ready indication of the reducing time available in 
which to carry out the necessary action. 

Where the display device 18 is a colour 
display unit, the counter 22, under control of the 
computer 12, can be caused to change colour depending on 
the urgency of the situation, as will be described 
below. 

The system 10 also includes a discernible 
alarm means 24 connected to the computer 12. The alarm 
means 24 includes an audible alarm device 26, such as a
siren or loudspeaker, as well as a visual alarm device 
28 such as a flashing light. The alarm means 24 may be 
activated, for example, when the counter 22 changes 
colour. 

The system 10 includes a data storage means 
30, indicated schematically as a database in Figure 1 of 
the drawings. The data storage means 30 contains 
information relating to the display graphics to be
displayed on the display device 18 as well as to the
time indicating means 20. The data storage means 30 
also retains the responses made and time to instigation 
of those responses. 

In a development of the invention, the data 
storage means 30 also contains information relating to 
the operating procedures and/or instructions to be 
followed by the operator in carrying out the necessary 
action as displayed by the graphic display device 18. 
Thus, for example, by pressing a predetermined key on 
the keyboard 16, the operator can access the operating 
procedures and instructions stored in the data storage 
means 30 which will be displayed on the display device 
18. It will be appreciated that, instead, the operating 
procedures could be displayed on a separate screen. 
These procedures may then be displayed immediately on 
the occurrence of the fault condition to improve the 
efficiency of the system 10.

The data stored in the data storage means 30 
may also be used to calculate or re-calculate the 
allowable or tolerable risk periods prior to the reactor 
power having to be reduced to reach a safe state, for 
example, probabilistic risk assessment for use in future 
incidents.

Upon the occurrence of a fault condition in
the nuclear power station, the operator will be apprised 
thereof by the computer 12 becoming operational. 
Additionally, the alarm means 24 could be activated 
concurrently. Normally, the inputting of the fault 
condition into the computer 12 would occur
automatically. Instead of automatic inputting of the 
fault condition, it will be appreciated that the fault 
condition could be entered into the computer 12 manually 
via the keyboard 16. 

Once the fault condition has been recorded by 
the computer 12, the computer 12 causes the appropriate 
graphic display to be displayed on the display device 
18. Simultaneously, the time indicating means 20 is 
also displayed on the display device 18. Initially, the 
maximum tolerable time period flashes in a first colour 
and the clock starts decrementing the time causing the
counter 22 to be decremented. Initially, the time is
decremented in hours only. 

Should it be possible to recover or correct 
the fault in a predetermined time, once the fault is 
corrected, this would be entered by the operator via the 
keyboard 16 to clear the fault condition and to reset 
the system. Instead, the clearance of the fault 
condition may be entered into the computer 12 
automatically via sensors of the plant. These sensors
could, for example, reflect the position of a valve or
a circuit breaker. 

If it is not possible to clear the fault 
condition within the specified time period, the clock 
then continues to count down to a predetermined time 
before the so-called "drop-dead" time. At the 
predetermined time before the mandatory "drop-dead" 
time, an audible warning signal is given by the device 
26 of the alarm means 24. Simultaneously, the colour of 
the display device 20 changes to another colour and the 
counter 22 changes to a lesser time interval, for 
example, a minute display. 

At the "drop-dead" time, a further audible 
warning is given by the device 26 of the alarm means 24 
and the colour of the time indicating means 20 changes 
to yet a further colour. The frequency at which the 
time indicating means 20 flashes increases. Further, a
prohibited state above the present state is displayed on 
the display device 18. The prohibited state is one to 
which the plant must not normally be taken in present 
circumstances. 

Once a safe operating state has been reached, 
an audible signal is given by the device 26 of the alarm 
means 24. The lowest prohibited state is now displayed 
on the display 18 and blinks constantly.

In all cases, the audible warning given by the
device 26 of the alarm means 24 is of a nagging or 
continuous type which demands a coded response or 
acknowledgment by the operator and/or will automatically 
alert a supervisor by default. 

As an example, a display 32 is shown in 
Figures 2 and 3 where a motor driven pump of the plant 
or an associated feedwater regulating line goes 
inoperable. When this occurs data relating thereto is 
entered automatically into the computer 12 or, instead, 
the operator enters the appropriate data into the 
computer via the keyboard 16. After entering of the 
data, this causes the display 32 as shown in Figure 2 
or Figure 3, as the case may be, to be displayed on the 
display device 18 of the computer 12. The time 
indicating means 20 is also displayed in the display 32. 
As indicated, in this example, two times 22.1 and 22.2
are shown in the display 32. The time 22.1 flashes
white and counts down at one hourly intervals. The time 
22.2 is a display, also in white. The time 22.1 is the 
overall tolerable period of risk for this fault 
condition. 

It is to be noted that, in the example given, 
the display 32 comprises eleven symbols 40 representing 
the eleven operating states of the nuclear power 
station. These symbols 40 represent the following
states:

symbol 40.1 - normal operating power of the reactor;

symbol 40.2 - reduced operating power of the reactor;

symbol 40.3 - hot standby;

symbol 40.4 - hot shutdown;

symbol 40.5 - normal intermediate shutdown;

symbol 40.6 - normal intermediate shutdown with residual heat removal system in action;

symbol 40.7 - monophasic intermediate shutdown;

symbol 40.8 - normal cold shutdown;

symbol 40.9 - maintenance shutdown;

symbol 40.10 - refuelling shutdown;

symbol 40.11 - refuelling shutdown with fuel removal.

The time 22.2 is the irreducible period to
take the nuclear reactor of the power station from the
power state, as represented by symbol 40.1, to an
intermediate state, as represented by symbol 40.6.

The times 22.1 and 22.2 indicated give the 
operator an indication of the time available to him to 
correct the fault. In other words, in this example, the 
operator would have sixty two hours to correct the fault 
failing which the fallback procedure must be carried 
out.

In this case, the limiting conditions for
operation (LCO) specify that the plant must be taken 
from its normal power state (40.1) to the normal 
intermediate shutdown state with residual heat removal 
system in action (40.6) in seventy two hours if no 
recovery is possible. 

When eleven hours remain, the colour of the
timer 22.1 changes to amber and the count down changes 
to five minute intervals until "drop dead" time as 
indicated by the time 22.2 is reached. The time 22.2 is 
the minimum allowable time where attainment of the 
failsafe state (40.6) must be achieved. Thereafter, the 
time displayed by the time indicating means 20 changes 
to indicate to the operator the time available to move 
from the state represented by the symbol 40.1 to the 
state represented by the symbol 40.3 (in this case one 
hour) which flashes red. The time indicating means 20 
counts this time down in five minute intervals for sixty
minutes to zero time where flashing ceases, the colour 
changes to white and a prohibited state appears at 34 on 
the display 32 and is coloured yellow. The prohibited 
state display 34 in any LCO is used to depict the 
operating state which must not be entered from any lower 
state or mode without predetermined corrective action 
having been completed.

At nine hours to move from the state
represented by the symbol 40.4 to the state represented 
by the symbol 40.6, a further time display changes from 
amber to red and starts flashing whilst counting down at
0.5 hour intervals to the time at which the required
state (40.6) must be attained. An audible signal is 
emitted via the device 26 of the alarm means 24 until 
completion is acknowledged. The prohibited state 
display 34 appears after the failsafe state (40.6) has 
been reached. It will be appreciated that, for lower 
mandatory fallback states, the displayed prohibited 
state 34 will be lowered accordingly. 

Should it be confirmed, in the first instance, 
that recovery of the fault is not possible within the 
sixty two hour time period, it may be decided to 
commence the ten hour fallback at once. Then, by 
pressing the appropriate key on the keyboard 16, the 
display 32 as shown in Figure 2 or Figure 3 is
immediately changed to the fallback display as described 
above. 

At all stages, a hard copy record is made of 
the situation for later analysis. 

Heretofore, as far as the applicant is aware, 
it has been necessary for operators to refer to manuals 
to ascertain what action needs to be taken in the event
of a fault condition arising. Interpretative debate is
often necessary to interpret the manuals until it is 
decided to declare an official fault condition resulting 
in time wastage which can be critical. Handwritten 
memoranda keep track of the elapsed time in LCO's and if 
more than one LCO is active, it can be extremely 
difficult to track each LCO independently and accurately 
especially with long running LCO's which straddle shift 
changes. This has led to delays and errors occurring, 
which, in the case of nuclear power stations, could have
extremely serious consequences. 
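The countdown of the worked example above (72 hour tolerable period, ten hour fallback, amber when eleven hours remain), kept independently for more than one LCO, as an added Python illustration that is not part of the patent. The class and function names, the one hour warning lead, the five minute step after the drop-dead time and the rounding down of the displayed time are assumptions, and the two-fault scenario is constructed.

```python
from dataclasses import dataclass, field

HOUR = 3600  # seconds

@dataclass
class LcoTimer:
    """One active LCO; every reading is derived from started_at, so a restart
    or a shift change cannot lose elapsed time."""
    name: str
    started_at: float          # clock reading in seconds when the fault was recorded
    total_h: float = 72        # overall tolerable period (time 22.1)
    fallback_h: float = 10     # fallback period (time 22.2), taken as 72 h - 62 h
    warn_h: float = 1          # assumed amber lead before drop-dead (11 h remaining)
    cleared: bool = False
    acked: set = field(default_factory=set)     # colour phases acknowledged so far
    record: list = field(default_factory=list)  # stands in for the hard copy record

    def remaining(self, now):
        """Seconds left of the overall period, never negative."""
        return max(0.0, self.total_h * HOUR - (now - self.started_at))

    def time_to_correct(self, now):
        """Seconds left before the fallback must begin (the drop-dead time)."""
        return max(0.0, self.remaining(now) - self.fallback_h * HOUR)

    def status(self, now):
        """Return (colour, displayed_seconds, alarm_sounding) for the counter."""
        if self.cleared:
            return (None, None, False)
        left = self.remaining(now)
        if left > (self.fallback_h + self.warn_h) * HOUR:
            colour, step = "white", HOUR        # hours only
        elif left > self.fallback_h * HOUR:
            colour, step = "amber", 5 * 60      # five minute intervals
        else:
            colour, step = "red", 5 * 60        # assumed step after drop-dead
        shown = left // step * step             # round down: never overstate the time
        alarm = colour != "white" and colour not in self.acked
        return (colour, shown, alarm)

    def acknowledge(self, now):
        """Operator response silences the alarm for the current phase only."""
        colour = self.status(now)[0]
        if colour in ("amber", "red"):
            self.acked.add(colour)
            self.record.append((now - self.started_at, "ack " + colour))

    def clear(self, now):
        """Fault corrected: stop the counter and record how long it ran."""
        self.cleared = True
        self.record.append((now - self.started_at, "cleared"))


def most_urgent(timers, now):
    """Active LCOs ordered by time left to drop-dead, most urgent first."""
    active = [t for t in timers if not t.cleared]
    return sorted(active, key=lambda t: t.time_to_correct(now))


if __name__ == "__main__":
    # Constructed scenario: two LCOs recorded 20 hours apart.
    pump = LcoTimer("motor driven pump inoperable", started_at=0)
    line = LcoTimer("feedwater regulating line inoperable", started_at=20 * HOUR)
    for h in (0, 30.5, 61.5, 62, 72):
        now = h * HOUR
        print(h, pump.status(now), [t.name for t in most_urgent([pump, line], now)])
```
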

With the provision of the indicating system 
10, in accordance with the invention, these problems 
are, to a large extent, obviated. The system 10 is 
further improved by having the information processed and 
displayed on a computer 12 where chances of human errors 
are reduced. 



The system 10 can be made failsafe in the 
event of a failure of, for example, computer hardware or 
power, by instantaneously switching to a standby 
computer, an uninterruptible power supply and/or
triggering a special limiting condition which defaults 
to the use of LCO hardcopy manuals which are stored 
nearby.

CLAIMS



1. An indicating system for use in a plant where
predetermined action is required upon the occurrence of
a fault condition, the indicating system including 
a data processing means; 

a data inputting means for inputting data into the 
data processing means; 

a graphic display means connected to the data 
processing means for displaying, in graphic form, action 
to be taken by an operator upon the occurrence of a 
particular fault condition; and 

a time indicating means connected to the data 
processing means for indicating the time available to 
the operator to take the appropriate action to bring the 
plant to a required state.

2. The system as claimed in Claim 1 in which the
graphic display means, additionally, displays action to
be taken in a narrative form. 

3. The system as claimed in Claim 1 or Claim 2 in 
which the data processing means comprises a computer. 

4. The system as claimed in any one of the 
preceding claims in which the data inputting means 
includes a manual inputting means by means of which the
operator enters data into the data processing means.

5. The system as claimed in any one of the
preceding claims in which the data inputting means
includes an automatic inputting means whereby, upon the 
occurrence of the fault condition, a signal is input 
into the data processing means. 

6. The system as claimed in any one of the 
preceding claims in which the time indicating means 
comprises a clock and a time display means, the time 
display means being driven by the clock to be 
decremented as time passes so that the operator has an 
indication of the reducing time available in which to 
carry out the necessary remedial action. 

7. The system as claimed in Claim 6 in which the 
time display means is in the form of a counter. 

8. The system as claimed in Claim 7 in which the 
counter is operable, under the action of the data 
processing means, to change format depending on the 
urgency of the situation. 

9. The system as claimed in any one of the 
preceding claims which includes a discernible alarm 
means connected to the data processing means to be 
activated upon the occurrence of a particular incident.

10. The system as claimed in Claim 9 in which the
alarm means is of a continuous type which requires a 
positive response by the operator. 

11. The system as claimed in any one of the 
preceding claims which includes a data storage means 
which contains information relating to graphics of the 
graphic display means, the time indicating means as well 
as action taken by the operator upon the occurrence of
the fault condition. 

12. The system as claimed in Claim 11 in which the 
data storage means, additionally, contains information 
relating to detailed procedures to be followed by the 
operator in carrying out the appropriate action. 

13. A method of operating a plant where 
predetermined action is required upon the occurrence of 
a fault condition, the method including 

graphically displaying a sequence of actions to be 
taken by an operator on the occurrence of a fault
condition in the plant; and 

indicating permissible time limits in which the 
action must be taken. 

14. The method as claimed in Claim 13 which 
includes making available predetermined data to enable 
the sequence of actions to be displayed graphically.

15. The method as claimed in Claim 13 or Claim 14
which includes displaying the time in a predetermined 
format and causing the displayed time to be decremented. 

16. The method as claimed in Claim 15 which 
includes, as critical time periods are approached, 
causing the displayed time to change format. 

17. The method as claimed in any one of the 
preceding claims which includes, upon the occurrence of
a fault condition, activating an alarm means. 

18. A new indicating system for use in a plant 
where predetermined action is required upon the 
occurrence of a fault condition substantially as 
described and as illustrated herein. 

19. A new method of operating a plant where
predetermined action is required upon the occurrence of
a fault condition substantially as described herein.